Security Bits Logo

Security Bits – 11 January 2019

Followups

Notable Security Updates

Notable News

  • Phishing just got quite a bit more dangerous with the release of a new penetration-test/hacking tool designed to automate reverse-proxy-style 2FA hacks similar to those recently reported being used against the US government and Amnesty International. The tool is named Modlishka, which is the Polish for Mantis (Editorial by Bart: the existence of software like this just makes it ever more important to check the URL in the address bar before you enter your 2FA code, username, or password) — nakedsecurity.sophos.com/…
  • 🇪🇺 A draft list of supposed piracy sites posted by EU law makers in preparation for the implementation of Article 13 of the controversial new European Copyright Directive has raised serious concerns about this law’s possible impact on the internet. Perhaps most glaringly, the list include CloudFlare as a supposed piracy site — www.macobserver.com/…
  • 🇪🇺 The European Commission has announced 15 new bug bounty programs to reward researchers who find and responsibly disclose bugs in many popular free and open source apps — nakedsecurity.sophos.com/…
  • The Dutch consumer agency de Consumentenbond tested facial recognition technology on 110 phones (iPhones and Android phones), and found it could be easily fooled with a simple high-resolution photo on 42 of the tested Android devices . An additional six Android devices failed the test with their default settings, but could be configured to use stricter modes that could not be bypassed — nakedsecurity.sophos.com/…
    • The original report is in Dutch (as you’d expect from a Dutch agency), but you can find the 42 phones that failed the test completely listed under the heading Toestellen ontgrendeld met een foto (translation: devices unlocked with a photo), and those that failed in their default configuration but could be re-configured to be secure under the heading Toestellen ontgrendeld met een foto, maar met betere beveiliging (translation: Devices unlocked with a photo, but with better security). Finally, for completeness, you’ll find the list of 57 devices that passed the test under the heading Toestellen die niet met een foto zijn te ontgrendelen (translation: Devices that were not unlocked with a photo) including all tested iPhones— www.consumentenbond.nl/…
  • 🇺🇸 Research by Motherboard finds that US carriers are still selling customer location data (having promised to stop after a damaging exposé last June), and $300 is all it costs to buy the location of any given US cellphone — motherboard.vice.com/…
    • Federal law makers responded with calls for an investigation — www.washingtonpost.com/…
    • AT&T responded to this reporting by promising to stop selling user data (again), T-Mobile & Sprint also say they will stop, and Verizon said it stopped a long time ago — www.macobserver.com/…
  • The Intercept reports that employees in Ring’s research centre in Ukraine can bring up any video from any Ring doorbell with nothing more than the customer’s email address — theintercept.com/… & www.imore.com/…
    • We talked about how Ring announced in 2016 that HomeKit was coming (but it’s not here yet): blog.ring.com/…
  • Investigations by 9to5Mac have found that the popular parcel tracking app Parcels – Track Your Packages (not the even more popular app Parcel) recruits all devices running the app into what is effectively a single-purpose botnet for carrying out the work you would expect to be done on servers run by the developers. This is an interesting way for the company to avoid the expense of running servers, and paying for bulk access to APIs. It also comes at a privacy cost to users. The app exists for both iOS and Android, but 9to5Mac only tested the iOS version — 9to5mac.com/…
  • Contrary to what you may have heard, the privacy-protecting search engine DuckDuckGo is not using browser fingerprinting to track users — techcrunch.com/…

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published.

Scroll to top